step 2 assessment summary report

Title of document

Summary of the design assessment of Hitachi-GE Nuclear Energy's UK Advanced Boiling Water

Reactor (UK ABWR)

28 August 2014

Revision 0

of 40

© Office for Nuclear Regulation, 2014 If you wish to reuse this information visit www.onr.org.uk/copyright for details. Published 08/2014 For published documents, the electronic copy on the ONR website remains the most current publicly available version and copying or printing renders this document uncontrolled.

Office for Nuclear Regulation of 40

http://www.onr.org.uk/copyright

FOREWORD

Since undertaking Generic Design Assessments (GDAs) of the UK EPR and the AP1000 reactor designs, ONR has transformed as an organisation. We have vested as a stand-alone public corporation, increasing our independence from government, we have refreshed our mission to better reflect our new status and what we aspire to deliver - “efficient and effective regulation of the nuclear industry, holding it to account on behalf of the public” - and we have achieved one of the most successful IRRS missions that the IAEA has undertaken. I am proud that we have delivered this change whilst maintaining robust regulation of the nuclear estate in the UK and responding to requests for GDAs flowing from the Government’s new nuclear build policy. This is a pivotal time for the UK’s nuclear industry, as we continue to undertake rigorous assessment of new reactor technologies, license new sites and prepare to regulate the construction of the first new nuclear power station in 25 years. It provides opportunities for us all, and in ONR we look forward to the challenges of regulating the safety and security of the industry in this time of change. I believe that the GDA process has clear safety and security benefits, which have been borne out by our experience with the UK EPR and AP1000. Early regulatory engagement enables any necessary design changes to be identified through our technical assessment well before any final investment decision is made and construction has started. This enables investors and operators to understand the impact of regulatory requirements and to be clearly informed ahead of significant site work. We have also learned from our experience of the first GDAs, and have published a report on those lessons and updated our guidance. We will continue to improve our processes and listen to feedback from our stakeholders. I am pleased to publish this first report on our GDA of another reactor technology new to the UK, the UK Advanced Boiling Water Reactor (ABWR), which is proposed for deployment at the Wylfa and Oldbury-on-Severn sites. This reactor design differs from those already operating or proposed for construction in the UK, and brings diversity to the technologies that might be deployed. However, fleet deployments can also bring benefits and economies of scale and I expect that in future a balance will have to be struck. Regardless of the reactor technology, the level of rigour and quality with which we undertake our assessments will remain consistently high. The assessment to date has already highlighted some necessary design changes. This will provide Hitachi-GE with ample time to address these issues as they move through the subsequent steps of the GDA process. I would welcome your comments on this report, and we will continue to publish our findings and operate with the openness that the public expects of us throughout this process Andy Hall Chief Nuclear Inspector


EXECUTIVE SUMMARY The mission of the Office for Nuclear Regulation (ONR) is to “provide efficient and effective regulation of the nuclear industry, holding it to account on behalf of the public”. In the context of new nuclear build in the UK, regulation is initially undertaken via the Generic Design Assessment (GDA) process. This is a process that we developed to allow technical assessment of reactor designs where a site has not necessarily been determined, or an operating organisation or prospective licensee proposed. In essence it allows the nuclear regulators to consider the viability of reactor technologies on a ‘generic’ basis, ahead of any financial decisions or commencement of construction. ONR believe that this upfront process enables early identification and resolution of technical issues, and hence any design changes, to be understood and agreed early on, which provides a degree of regulatory certainty for investors. It is for Government to propose reactor technologies for GDA, not the ONR, and they do so on the basis that they consider those technologies most likely to be built and operated in the UK. However in addition to completing GDA successfully, prospective operators also have to secure a site licence, and there is on-going regulation under the nuclear site licence throughout the construction and commissioning periods. So far ONR have completed the GDA of the UK EPR, and issued a Design Acceptance Confirmation (DAC) in 2012, and completed Step 4 of the GDA of the Westinghouse AP1000 reactor design and issued an interim DAC in 2011. All of our assessment reports on these technologies are published on the joint regulators website. GDA is a step-wise assessment process, with increasing levels of detail throughout the four steps. Step 1 is the preparatory step and ONR made a statement on the joint regulators website in January 2014 that this Step had completed and that they were moving into Step 2. Step 2 is the commencement of technical assessment and is focused on understanding and assessing the fundamental safety claims, and acceptability of the UK ABWR within the UK regulatory regime. This is ONR’s first report on the Hitachi-GE Advanced Boiling Water Reactor (ABWR) design and it comes at the end of Step 2. This is a new type of reactor design for the UK, which is proposed for deployment on the Wylfa site on Anglesey and at Oldbury-on-Severn in Gloucestershire, and operated by Horizon Nuclear Power. ONR have considered the fundamental safety and security aspects of the design, and the Environment Agency (EA) has considered the environmental acceptability of the design, which is reported on separately. Overall, the interactions with Hitachi-GE as the Requesting Party (RP) throughout Step 2 have been positive, and ONR generally considers Hitachi-GE to be responsive, determined to understand and meet UK regulatory expectations, and open to constructive challenge and engagement. Hitachi-GE has worked consistently hard throughout Step 2 to provide material that meets UK regulatory expectations, which is to be commended. Their knowledge and understanding across the majority of the engineering and systems disciplines is generally good, however, in the science areas, and in particular Probabilistic Safety Assessment (PSA), ONR generally considers their knowledge of UK regulatory expectations to be less well developed, and we have been working with Hitachi-GE to bridge this gap. Furthermore in some of the science areas there has been very limited progress and a lack of material for assessment during Step 2. Where this is the case ONR has worked with Hitachi-GE to establish forward programmes of submissions to build regulatory confidence, and ONR is clear with Hitachi-GE that meeting the milestones in these plans is vital to continued progression through GDA within the timescales that they have set. ONR have also been able to highlight design modifications that will be required, which we consider a significant success so early in the process, as Hitachi-GE has the time to complete the analysis we will need.


There is a considerable amount of work to be undertaken by Hitachi-GE going forward, requiring significant capacity and capability across all of the topic areas for Hitachi-GE. ONR will continue to rigorously assess the safety and security submissions throughout Step 3 and Step 4, and will address potential issues of capacity and capability should they arise. ONR will also consider Hitachi-GE’s ability to produce holistic safety cases that recognise the dependencies between the individual technical topic areas as GDA progresses. However, at the end of our Step 2 assessments we have not identified any fundamental safety or security issues that might prevent issue of a DAC or that would need to be addressed in order to acquire one.


LIST OF ABBREVIATIONS ALARP As low as reasonably practicable

BSL Basic Safety level (in SAPs)

BSO Basic Safety Objective (in SAPs)

CNS Civil Nuclear Security (ONR)

HOW2 (Office for Nuclear Regulation) Business Management System

HSE The Health and Safety Executive

IAEA The International Atomic Energy Agency

NDA Nuclear Decommissioning Authority

ONR Office for Nuclear Regulation

PCER Pre-construction Environment Report

PCSR Pre-construction Safety Report

PSA Probabilistic Safety Assessment

PSR Preliminary Safety Report

RGP Relevant Good Practice

SAP Safety Assessment Principle(s) (HSE)

SFAIRP So far as is reasonably practicable

SSC System, Structure and Component

TAG (ONR) Technical Assessment Guide


TABLE OF CONTENTS 1 ................................................................................................................... 8 BACKGROUND2 ................................................................................................................. 8 INTRODUCTION3 ......................................................... 9 ONR EXPECTATIONS FOR MODERN REACTORS4 ......................................................... 9 ONR EXPECTATIONS FROM THE GDA PROCESS5 .............................................................................................. 10 ASSESSMENT STRATEGY6 ....................................... 10 MAIN FEATURES OF THE DESIGN AND SAFETY SYSTEMS7 ................................................................ 12 OVERSEAS REGUALTORS’ ASSESSMENTS8 .......................................................................................... 13 GDA COMMENTS PROCESS9 ....................................................................................... 14 SUMMARY OF ONR FINDINGS10 ................................................................................................................ 35 CONCLUSIONS11 .................................................................................................................. 37 REFERENCES12 ................................................................ 38 ANNEX 1 - STEP 2 DESCRIPTION AND AIMS


1 BACKGROUND

1. The Generic Design Assessment process was first developed in 2005 in response to anticipated applications for new reactor construction in the UK. The process was applied initially to four reactor designs from July 2007, following the publication of the Energy White Paper in May 2007. Two reactor designs, the EPR and the AP1000, progressed through the GDA process, achieving Interim Design Acceptance Confirmations (IDACs) in 2011. Westinghouse then decided to pause the GDA of the AP1000 reactor design, with 51 outstanding GDA Issues (technical matters that require resolution prior to achieving a DAC and prior to first nuclear concrete pour on site), and EDF/AREVA went on to complete GDA and were awarded a DAC for the EPR design in 2012.

2. In January 2013 ONR received a request from the then Energy Minister to undertake a GDA of the UK ABWR; a Hitachi-GE reactor design proposed for construction on the Wylfa site in Anglesey and at Oldbury-on-Severn in Gloucestershire. Hitachi-GE completed Step 1 of the GDA process in December 2013, and we began the technical assessment work – Step 2 of GDA in January 2014.

3. ONR will continue to undertake robust regulation of proposals for new reactor designs if requested to by Government.

2 INTRODUCTION

4. GDA is a process that ONR and the EA developed to allow technical assessment of reactor designs where a site has not necessarily been determined, or an operating organisation or prospective licensee proposed. In essence it allows the nuclear regulators to consider the viability of reactor technologies on a ‘generic’ basis, ahead of any financial decisions or commencement of construction. ONR believe that this upfront process enables resolution of technical issues, and hence any design changes, to be understood and agreed early on, which provides a degree of regulatory certainty for investors.

5. It is for Government to propose reactor technologies for GDA, not the ONR, and they do so on the basis that they consider those technologies most likely to be built and operated in the UK. However in addition to completing GDA successfully, prospective operators also have to secure a site licence, and there is on-going regulation under the nuclear site licence throughout the construction and commissioning periods.

6. So far ONR have completed the GDA of the UK EPR, issuing a DAC in 2012, and completed Step 4 of the GDA of the Westinghouse AP1000 reactor design and issued an interim DAC in 2011. All of our assessment reports on these technologies are published on our website.

7. This is ONR’s first report on the Hitachi-GE ABWR reactor design. This is a new type of reactor design to the UK, which is proposed for deployment on the Wylfa site on Anglesey and at Oldbury-on-Severn in Gloucestershire, operated by Horizon Nuclear Power.

8. GDA is a step-wise assessment process, with increasing levels of detail throughout the four steps. Step 1 is the preparatory step and we made a statement on our website in January 2014 that this Step had completed and that we were moving into Step2. Step 2 is the commencement of technical assessment and is focused on understanding and assessing the fundamental safety claims, and acceptability of the UK ABWR within the UK regulatory regime. Step 3 is an analysis of the design at the systems level and primarily focuses on the safety arguments. Step 3 typically takes around 12 months to complete. Step 4 is the detailed assessment phase and focuses on the evidence


provided by Hitachi-GE in the safety analysis, on a sampling basis, and typically takes around 28 months. At the end of Step 4, if the design is considered acceptable, ONR will issue a DAC. However if there are technical issues that remain outstanding, or if the design is not sufficiently complete, ONR may issue an interim DAC. The DAC can then be issued following resolution of the outstanding matters.

9. The regulatory philosophy is that the DAC is carried forward to support the site specific nuclear site licence application and supporting safety cases, which should only consider site specific issues (e.g. relating to local geology, external hazards etc).

10. This report is ONR’s first public statement on the ABWR and it comes at the end of Step 2. We have considered the fundamental safety and security aspects of the design. The EA working with Natural Resources Wales (NRW), who have taken over the EA’s role in Wales, has considered the environmental acceptability of the design, which is reported on separately.

3 ONR EXPECTATIONS FOR MODERN REACTORS

11. The overriding requirement for any nuclear facility proposed for construction in the UK is that the risk of potential accidents is reduced to as low as is reasonably practicable (ALARP). In simple terms ALARP is a requirement to take all measures to reduce risk where it is reasonable to do so. In most cases this is not done through an explicit comparison of costs and benefits, but rather by applying established relevant good practice (RGP) and standards. The development of relevant good practice and standards includes ALARP considerations, so in many cases meeting them is sufficient. In other cases, either where standards and relevant good practice are less evident or not fully applicable, the onus is on the RP/licensee to implement measures to the point where the costs of any additional measures (in terms of money, time or trouble – the sacrifice) would be grossly disproportionate to the further risk reduction that would be achieved (the safety benefit). ONR has detailed guidance on the demonstration of ALARP (Ref. 1).

12. In very broad terms ONR expects that new nuclear reactors are robust facilities that are designed to provide protection against all of the faults that can threaten the reactor, with an emphasis on the ability to safely shut down the reactor by stopping the nuclear chain reaction, providing cooling to the shutdown reactor and maintaining containment of the radioactivity. The adequacy of protection should be demonstrated by comprehensive safety analysis in the form of a safety case, which is submitted to ONR for assessment.

4 ONR EXPECTATIONS FROM THE GDA PROCESS

13. Our expectations for GDA are detailed in reference (Ref. 2). For clarity, the requirements for GDA step 2 are repeated in Annex 1 of this report.

14. The safety standards used are the 2006 Safety Assessment Principles (SAPs), which are ONR’s highest-level internal guidance to inspectors for assessing safety, and the underpinning Technical Assessment Guides (TAGs). The SAPs have been benchmarked against the IAEA Safety Standards.

15. In his report into the implications for the UK nuclear industry of the 2011 Fukushima accident, ONR’s Chief Nuclear Inspector recommended a formal review of ONR’s Safety Assessment Principles (SAPs). The review concluded that while no urgent changes were required, the SAPs should be updated to reflect both learning from


Fukushima and wider changes in the industry since the SAPs were last revised in 2006.

16. Following extensive work by ONR inspectors, other regulators and government departments, the project to revise the SAPs is now nearing completion, and proposals for an update have been drafted and published for external consultation. ONR’s inspectors have been cognisant of the proposed changes in their GDA step 2 assessments of Hitachi-GE’s submissions; hence they reflect post Fukushima learning.

5 ASSESSMENT STRATEGY

17. The aim of Step 2 was a high level review of the fundamental safety and security issues, and ONR focused on the safety ‘claims’ made by Hitachi-GE in the safety documentation; principally the Preliminary Safety Report (PSR). The words ‘claims, arguments and evidence’ are used in this report. The concept behind this construct is explained below using a simple analogy (previously cited in the Step 2 summary reports for the earlier GDAs):

18. For many people the purchase of a car is influenced by the fuel economy. If the manufacturer states in the brochure that the average miles per gallon (mpg) is 55, this is a claim, or an assertion. The brochure will often say why the car is able to meet the fuel economy figure claimed, such as the development of advanced engine management systems, use of lightweight materials etc; all of which are arguments. Furthermore the manufacturer may cite evidence of independent performance tests and trials to underpin its claims for average mpg.

19. All of the technical topic areas had an assessment strategy in place prior to Step 2, which defined the specific standards against which Hitachi-GE’s submissions were judged.

6 MAIN FEATURES OF THE DESIGN AND SAFETY SYSTEMS

6.1 BASIC DESCRIPTION

20. The development of the Advanced Boiling Water Reactor (ABWR) began in 1978, and was first adopted in the construction of the Kashiwazaki-Kariwa Nuclear Power Station Unit 6 and Unit 7, which commenced commercial operation in 1996 and 1997. At full power, a single ABWR reactor produces around 1350MWe of electricity.

21. The BWR uses demineralised water as a coolant and neutron moderator. Heat is produced by nuclear fission in the reactor core, and this causes the cooling water to boil, producing steam. The steam is directly used to drive a turbine, after which the steam is cooled in a condenser and converted back to water. This water is then returned to the reactor core, completing the loop. The cooling water is maintained at about 7.5 MPa, or slightly lower, so that it boils in the core at about 285°C. This is fundamentally different from other reactor types which do not use this direct cycle of steam to drive the turbine generators.

22. The basic layout of an ABWR comprises a reactor building, control building and turbine building, the configuration of which is site dependant, however they are located immediately adjacent to each other.

23. The major part of the reactor building is the Reinforced Concrete Containment Vessel (RCCV), which contains the Reactor Pressure Vessel (RPV). The RCCV is a steel lined reinforced concrete structure, cylindrical in nature, 36m tall, 29m in diameter and with 2m thick walls. It has two principal functions, to contain pressure and prevent leakage. The reinforced concrete handles the functions of pressure containment and shielding, and the liner handles the function of leakage prevention.


24. The RCCV is divided into a drywell and a suppression chamber by the diaphragm floor and the RPV pedestal. The suppression chamber contains the suppression pool and an air space. Vapour flows, which could be generated by a Loss of Coolant Accident (LOCA), flow from the drywell space to the suppression pool through horizontal vent pipes embedded into the RPV pedestal, where the steam is condensed.

25. The RPV is a cylindrical steel vessel that contains the core and reactor internals. The RPV consists of a removable hemispherical top head, cylindrical shells, a bottom head, and some nozzles. The RPV is installed vertically on the pedestal inside the containment building. The RPV is around 21 metres in height, 7.4 metres in diameter and with a steel wall thickness of around 17 centimetres. The RPV functions as the pressure retaining barrier to retain light water coolant and as the barrier to isolate radioactive material generated in the core from outside the RPV. The vessel contains the core, steam separator, steam dryer, reactor internal pumps and the control rod arrangements. .

26. The reactor core is an upright cylinder containing 872 fuel assemblies. A fuel assembly has a square array of fuel rods and a hollow pipe (water rod), where water coolant flows. Fuel assemblies are placed inside a zircaloy channel box. Its functions include forming the coolant flow path and guiding the insertion and withdrawal of control rods between fuel assemblies. Each fuel rod is made out of Uranium Dioxide (UO2) pellets with less than 5wt% Uranium-235 enrichment and a Zircaloy-2 cladding tube; both ends of which have plugs welded on. Its plenum is filled with Helium gas. At the end of a fuel cycle, the spent fuel will contain radioactive fission products which remain confined inside the cladding.

27. The control rods are cruciform and are inserted between every 4 fuel assembles. They perform the twin functions of power distribution shaping and reactivity control. The control rods enter the vessel through the bottom dome and are inserted under either electric or hydraulic power.

6.2 SAFETY SYSTEMS

28. During normal operation, steam generated at the reactor is transferred to the turbine facility via four main steam pipes. In order to prevent overpressure of the reactor following a transient in operation or an accident, steam inside the reactor is discharged into the suppression pool by the relief valve function or the safety valve function of the Safety Relief Valves (SRVs). Main steam isolation valves are arranged in pairs (either side of the containment wall) to isolate the reactor in case of fuel failure, Main Steam Line Break Accident (MSLBA) or LOCAs.

29. The ABWR also has a standby liquid control system which acts as a second line of criticality control. If required it can inject borated water directly into the RPV, which will bring the core to a sub-critical state and maintain it as it cools.

30. The ABWR safety systems include three independent divisions of Emergency Core Cooling Systems (ECCS). Each division of the ECCS has one high pressure and one low pressure make-up system. Two of the three pumps for the high pressure system are electrically driven and one is steam driven whereas for the low pressure system all three are electrically driven and these low pressure pumps also perform the residual heat removal function. For the high pressure system the choice of whether to use steam or electrically driven pumps is dependent on the accident transient. Heat is removed from the reactor during normal shutdown, reactor isolation or loss of cooling accidents via the residual heat removal system. Three individual cooling loops are available with heat exchanges cooled via the reactor cooling water system. There are also diverse pressure control and emergency cooling systems located in the back-building.


31. The primary volume of the RCCV is maintained in an inert state by the use of a nitrogen atmosphere, which reduces the likelihood of a combustion if a leak of hydrogen occurs. In addition, there is a flammability control system which uses hydrogen recombiners to control the build up of a mixture of hydrogen and oxygen in the RCCV should a LOCA occur.

32. In the event of a loss of off-site electrical power the ABWR has three independent emergency diesel generators to provide power to the essential safety systems. It also has two additional back-up diesel generators supporting a diverse electrical power supply system in the back-up building located away from the main reactor, control and turbine buildings.

33. Fuel is inserted and removed from the RPV via the fuelling machine which is located on the operating floor. Spent fuel is placed in the spent fuel pool immediately after removal from the RPV and kept there until it has cooled sufficiently to allow placement into fuel casks. The casks are loaded at the operating floor level and lowered to ground level before dispatch.

7 OVERSEAS REGUALTORS’ ASSESSMENTS

34. ONR’s GDA programme has a strategy for working with overseas regulators on the design assessment of the UK ABWR (Ref. 3), which highlights the benefits as being access to independent analyses and audits, sharing of technical opinion, early advice on construction issues and promotion of a more consistent and harmonised international approach. Our guidance and strategy also explains why ONR needs to conduct its own assessments and the factors that we consider when considering the extent to which ONR can take overseas regulatory assessment into account, including the date and assessment and its continued validity, the level of detail and purpose of the assessments, and whether a demonstration can be made satisfying the UK legal requirement that risks have been reduced to as low as is reasonably practicable.

35. ABWR reactors have been operational in Japan since 1996, and additional reactors are being constructed in Japan. Furthermore, following the events at Fukushima in 2011, all nuclear power reactors in Japan are subject to relicensing against new regulatory requirements. The ABWR design also received design certification from the US Nuclear Regulatory Commission (NRC) in 1997, which expired in 2012, and is currently undergoing design certification renewal. This operational history should provide opportunities for ONR to benefit from overseas regulatory work.

36. Our activity during Step 2 has included the sharing of technical assessments and opinions with both the Japan Nuclear Regulatory Authority and the US NRC, and the chairing of the ABWR Working Group within the Multinational Design Evaluation Programme (MDEP). MDEP is ONR’s principal forum for the exchange of safety review information between the regulators of the relevant countries. So far, one meeting (January 2014) of the working group has been held of the working group, where the objectives of the working group were agreed as:

To leverage resources and ensure that the ABWR design reviews remain safety-focused.

To exchange information about their safety reviews in the areas of Fukushima lessons learned enhancements, instrumentation and control, severe accidents, probabilistic risk assessment, radiation protection, design basis accidents and safety system diversification, taking into account design differences among countries and differences in licensing processes.

37. During this first meeting of the MDEP ABWR working group, it was established that in parallel to GDA, the US NRC are currently working on the Design Certification Renewal for GE-Hitachi’s ABWR, Toshiba’s ABWR and the review of South Texas


Project’s (Toshiba’s 1300MWe approx ABWR) application for a Combined Operating Licence (COL). During the MDEP meeting it also emerged that GE-Hitachi had advised NRC that their ABWR Design Certification renewal work in certain significant topic areas (to address items raised by NRC as requiring further consideration by the Applicant) such as Probabilistic Safety Analysis (PSA) would be dependent on the schedule of work from MDEP and the UK GDA process. Both ONR and NRC consider this an excellent opportunity for future cooperation and joint work.

38. In May 2014 a bilateral information exchange was undertaken between ONR and the US NRC to discuss in detail their review of GE-Hitachi’s ABWR, with a focus on NRC’s PSA evaluation. During the meeting NRC provided very useful presentations containing a large amount of information relevant to ONR. We will continue our engagements throughout the GDA process.

8 GDA COMMENTS PROCESS

39. ONR’s mission includes “….holding the industry to account on behalf of the public”, and we place great importance on being open and transparent to ensure the public is informed of our work and our regulatory decisions, which we believe will in turn improve and maintain their trust. Within GDA ONR does this by publishing all of its reports, statements and guidance on the joint regulators GDA website, which includes a GDA electronic bulletin.

40. ONR requires Hitachi-GE to publish technical information on their reactor design, including safety case documentation. Hitachi-GE’s website went live on January 6th 2014, and includes a GDA comments process, which enables members of the public to view and comment on the design and safety case information.

41. So far (to July 2014) 25 comments have been posed on Hitachi-GE’s website, which is significantly more than at the same stage of the earlier GDAs. Of the 25:

9 comments relate to technical aspects of GDA or nuclear site licensing.

2 comments relate to the GDA process.

6 comments relate to Government policy.

8 comments are categorised as ‘other’ and do not directly relate to the reactor design, GDA, site licensing or policy.

42. All of the comments have been addressed either by the RP, the Department of Energy and Climate Change (DECC) and the regulators as appropriate.

43. In June 2014 the regulators published a stakeholder engagement plan which describes further our work in this area, and builds on the lessons learned from the earlier GDAs of the UK EPR and AP1000.


9 SUMMARY OF ONR FINDINGS

9.1 ENGINEERING DISCIPLINES

9.1.1 STRUCTURAL INTEGRITY

44. For structural integrity, safety claims are based on the identification of the integrity level required for a component or structure, to support the overall safety case for the reactor. Of particular importance is the identification of those components which form a principal means of ensuring nuclear safety, and where the safety case claims that the likelihood of gross failure is so low that the consequences of gross failure can be discounted from the safety analysis. This has been the focus of the Step 2 assessment. ONR has also considered the through-life degradation mechanisms that could potentially affect a UK ABWR, as an implicit structural integrity claim will be related to the 60 year design life of the plant.

45. ONR’s assessment has been based on Hitachi-GE’s Preliminary Safety Report (PSR) and its references relevant to structural integrity. Hitachi-GE’s PSR is summarised as providing:

The basis for the structural integrity classification process, including the identification of the components needing a highest reliability claim.

The approach to providing a ‘beyond design code’ compliance justification to support a highest reliability claim.

The basis for an avoidance of fracture justification, bringing together material properties, fracture analysis and qualified manufacturing inspections.

An overview on the approach to mitigating the threat from the stress corrosion cracking degradation mechanism.

Design summaries for the main components in the reactor circuit.

46. ONR’s assessment has identified the following areas of strength related to structural integrity:

Hitachi-GE has adopted an approach to structural integrity classification that identifies the integrity claims needed to support the overall safety case.

Hitachi-GE has adopted approach to systematically identifying those components requiring a claim that the likelihood of gross failure is so low that it can be discounted.

The beyond design code compliance justification proposed by the RP, using an avoidance of fracture demonstration for the highest reliability components, appears consistent with ONR’s expectations.

A multi-faceted approach is being taken to mitigate the threat from the stress corrosion cracking degradation mechanism.

The design summaries show that the main components of the reactor are generally of a conventional nature, which gives confidence that their integrity claims will be justifiable.

47. During Step 2 ONR has raised Regulatory Observations in the following four areas to aid Hitachi-GE in meeting regulatory expectations during Step 3 and Step 4 of GDA:

Avoidance of fracture – Margins based on the size of crack-like defects.

Control rod drive penetration design.

Reactor pressure vessel design (use of forgings and plate materials).


Material/forging/weld/clad specifications for the reactor pressure vessel pressure boundary.

48. ONR has identified the following areas for follow-up during Step 3:

Sufficiency of claims for the balance of plant safety case i.e. the reactor circuit downstream of the Main Steam Isolation Valves.

Provision of a material selection justification taking into account UK ABWR specific water chemistry.

Optimised material choice for the Reactor Water Clean Up System.

The potential for chloride ingress, including protection measures and consequences, in the safety case.

49. In summary ONR are satisfied with the submissions made by Hitachi-GE in Step 2 in the area of Structural Integrity and can see no reason, why the UK ABWR should not proceed to Step 3 of the GDA process.

9.1.2 CIVIL ENGINEERING / EXTERNAL HAZARDS

50. For civil engineering, safety claims are interpreted as being that the design and construction of the plant is such that the relevant buildings and structures:

Support Structures, Systems and Components (SSCs) that deliver safety functions for design basis loads.

Maintain appropriate environmental conditions inside buildings appropriate for SSCs.

Protect SSCs that deliver safety functions from design basis external hazards, natural phenomena, human induced events and internal hazards.

Contain radioactive material and potential release to the environment.

Provide radiation shielding where required.

Maintain their required functions during normal and fault conditions.

51. For external hazards the safety claims are that hazards will be:

Fully identified based on reference sources.

Categorised and screened.

Appropriately considered in sequence and combination.

Used to derive design basis loads.

52. ONR’s assessment has been based onHitachi-GE’s Preliminary Safety Report (PSR) and its references relevant to Civil Engineering and External Hazards.

53. Hitachi-GE’s preliminary safety case claims related to civil engineering and external hazards is summarised as follows:

Identification, screening and evaluation of hazards, and the development of the design basis.

Definition of the Generic Site Envelope.

Identification of safety requirements, categorisation and classification.

Identification of seismic categorisation.

Adoption of internationally recognised and accepted design codes and standards.


54. ONR’s assessment has identified the following areas of strength related to civil engineering and external hazards:

Clearly defined categorisation and classification of structures.

Adoption of internationally recognised and accepted design codes and standards.

Engagement at an early stage with the representatives from the civil designers and constructors.

Consideration of construction and decommissioning at the design stage.

Application of experience from previous projects.

55. ONR has identified the following areas that require follow-up in the area of civil engineering and external hazards:

Generic Site Envelope with respect to external hazards.

Aircraft impact protection shell design.

Design of the Radwaste building, back-up building and condensate storage tank.

The interface with the conventional health and safety topic area.

56. In summary ONR are satisfied with the submissions made by Hitachi-GE in Step 2 in the area of civil engineering and external hazards and can see no reason why the UK ABWR should not proceed to Step 3 of the GDA process.

9.1.3 INTERNAL HAZARDS

57. For internal hazards, safety claims are interpreted as being specific and measurable statements about the design features, which prevent or limit the severity and consequences of internal hazards on Structures, Systems and Components (SSCs) important in the delivery of safety functions and when implemented will demonstrate that the threats from internal hazards are either removed, tolerated or minimised.

58. The RP’s claims on internal hazards, as presented in the PSR and supporting documents, can be summarised as follows:

Internal hazards do not compromise the control of core reactivity or the removal of heat from the core and spent fuel pond, and will not result in uncontrolled dispersion of radioactivity or the uncontrolled exposure of plant personnel or the public to radiation from any source.

The three divisions of safety systems in the UK ABWR means that many of the hazards are mitigated by divisional segregation of safety components, provided that barriers between divisions are not breached.

Barriers which support the above claim have been identified for the Reactor Building and Control Building.

59. ONR has concluded that the passive claim on safety barriers is reasonable and is in line with regulatory expectations. However, this single claim may not be suitable for those areas of the UK ABWR design where there is a lack of segregation of SSCs (such as inside Primary Containment and Main Steam tunnel), and it is not sufficient to demonstrate that the risks from internal hazards have been reduced to ALARP.

60. ONR’s assessment of the UK ABWR aspects of the safety case related to internal hazards has identified the following areas of strength:


Hitachi-GE has adopted a reasonable approach for the internal hazards analysis, involving the identification of internal hazards, identification of SSCs that are required to deliver the safety functions, and evaluation of how these SSCs are protected against the internal hazards.

Hitachi-GE has developed and adopted an approach to identify the claims made on safety barriers.

Hitachi-GE has demonstrated a high level of commitment in delivering complex studies involving different engineering disciplines within a short period of time, to support the claims on safety barriers made within the PSR.

61. ONR has identified the following areas that require follow-up in relation to internal hazards:

Suitable and sufficient claims against all applicable internal hazards, including coincident, combined and consequential events, to demonstrate that the risks from internal hazards have been reduced to ALARP. This should cover all relevant buildings and areas where exceptions to segregation of SSCs by safety barriers exist, and for all plant conditions. An appropriate level of defence in depth should be demonstrated.

The structure and contents of the PCSR including the route-map of the various supporting documents, demonstrating that the PCSR is accurate and demonstrably complete for its intended purpose.

The plant layout provisions in place including redundancy, diversity and segregation of SSCs against internal hazards.

The justification of the design provisions and the safety case being made against internal hazards for the following areas:

Emergency Diesel Generators (EDGs) and associated day tanks in the Reactor Building.

Single doors on Class 1 safety barriers separating safety divisions.

The Main Steam tunnel.

The analysis methodologies for all internal hazards.

The RP’s capability and capacity in internal hazards to enable the delivery of a PCSR that meets UK regulatory expectations.

62. In summary ONR are satisfied with the submissions made by Hitachi-GE in Step 2 for internal hazards and can see no reason why the UK ABWR should not proceed to Step 3 of the GDA process.

9.1.4 MECHANICAL ENGINEERING

63. For mechanical engineering safety claims are interpreted as being the ability of a Structure, System or Component (SSC) to deliver its safety function during normal operations (including for shutdown), fault sequences and accident conditions, with adequate consideration of the following characteristics:

Inherent safety – hazard avoidance in preference to hazard control.

Fault tolerance – sensitivity to potential faults to be minimised.

Defence in depth – provision of adequate levels of protection.

Safety function – structured fault analysis undertaken for both normal operation (including shutdown), and fault sequences.

64. ONR’s assessment has been based on Hitachi-GE’s Preliminary Safety Report (PSR) and its references relevant to Mechanical Engineering. These documents provide high


level claims relating to the mechanical engineering aspects of SSCs for the safety functions of:

Reactivity control.

Heat transfer and removal.

Confinement of radioactive substances.

65. ONR’s assessment has identified the following areas of strength related to mechanical engineering

Hitachi-GE has in place appropriate arrangements to define functional, reliability and performance claims.

Hitachi-GE’s categorisation and classification arrangement is broadly aligned to expectations for mechanical engineering SSCs.

Hitachi-GE’s Step 2 submission appropriately sets out codes and standards for the principal mechanical engineering equipment, although some clarification of the approach for certain specialised components is required.

Hitachi-GE has provided an adequate level of assurance associated with its operational experience arrangements at an organisational level.

Hitachi-GE has provided a level of assurance that Examination Inspection Maintenance and Test (EIMT) is appropriately considered as part of its design process.

66. ONR recognises and accepts that Hitachi-GE’s safety case needs to be developed in many areas in order to provide the arguments and evidence to support the claims related to mechanical engineering, however the following areas are specifically noted for follow-up during Step 3:

That the nuclear ventilation system designs are aligned to UK codes, standards and relevant good practice (RGP).

That SSCs’ design, qualification, reliability, maintainability and associated operational experience justify that risks have been reduced to ALARP.

That Hitachi-GE adopts a robust, auditable design process with arrangements that set out design principles, rules, and selection criteria for all SSCs.

That SSCs’ qualification is aligned with the 60 year design life claim, or that the building layout and access provisions are adequate to support replacement.

That SSC isolation and configuration for EIMT are aligned with UK RGP, and that risks are reduced to ALARP.

That SSCs’ reliabilities are aligned with the output of the UK ABWR deterministic and probabilistic safety analyses.

That the design processes adequately consider operational experience at an SSC level.

67. To capture the above ONR will issue four Regulatory Observations in the area of mechanical engineering.

68. In summary ONR is satisfied with the submissions made by Hitachi-GE in Step 2 in the area of mechanical engineering, and can see no reason why the UK ABWR should not proceed to Step 3 of the GDA process.


9.1.5 CONVENTIONAL FIRE

69. For Conventional Fire Safety (CFS), ‘UK regulatory expectations’ are interpreted as being the design principles contained in the appropriate national standards, and good practice ‘standards’ developed by industry for the design and management of buildings. For Step 2 this has been:

The Regulatory Reform (Fire Safety) Order 2005 and supporting fire risk assessment guidance documents.

Relevant building design codes of practice including Approved Document ‘B’ to the Building Regulations, British Standard 9999 and British Standard 7974 and other British Standards as appropriate.

70. The RP’s preliminary safety case approach to CFS is summarised as follows:

To comply with UK guidance and standards of fire safety (mainly BS 9999) in building design as far as is reasonably practicable.

Identify departures in the ABWR design from UK fire safety expectations due to nuclear safety requirements and other design features.

An equivalent level of fire safety for departures from established building codes will be achieved through a process of optioneering and selection based on a robust ALARP justification.

71. ONR has identified the following areas of strength in relation to CFS:

The PSR document clearly identifies relevant UK legislative requirements, and makes reference to the appropriate guidance and relevant good practice which forms the benchmark for assessing compliance with the law. A good understanding of the largely functional requirements of the legislation and guidance is evident. It is also positive that Hitachi-GE has identified at an early stage that there will be areas where adherence to the prescriptive sections of guidance that will be challenging. Hitachi-GE has also agreed to adopt a risk assessed process of optioneering with ALARP justification, which helps to ensure that risk gaps are minimised.

72. ONR has identified the following areas that require follow-up in relation to CFS:

Although Hitachi-GE has documented the process for resolving areas of departure from UK fire safety expectations, there is an absence of detail in the methodology that will be used, and this requires further development. A documented strategy for recording and managing the process of departures, optioneering and ALARP justification is required. The absence of this detail in Step 2 is not critical, but the departure management strategy should be progressed early within Step 3.

73. ONR is satisfied with the submissions made by Hitachi-GE in Step 2 in the area of CFS and can see no reason why the UK ABWR should not proceed to Step 3 of the GDA process.

9.1.6 CONVENTIONAL SAFETY

74. Conventional health and safety (CHS) is an area that ONR focuses on more rigorously during the construction and operation phases of nuclear installations. ONR’s focus during design is to ensure that decisions are informed by CHS legislation, to increase the likelihood of compliance.


75. During Step 2 ONR has engaged with Hitachi-GE and formed a view on their awareness of CHS and the acceptability of the ABWR design against the relevant legislation.

76. Hitachi-GE’s preliminary safety case approach to CHS is summarised as follows:

The Preliminary Safety Report (PSR) provides clear direction, details relevant statutory requirements, and offers a generic template for adaptation of Hitachi-GE’s existing Japanese design processes and outcomes to meet UK legal standards.

Within the PSR Hitachi-GE recognises its role as designer and acknowledges the UK Construction (Design and Management) Regulations 2007 implications of this.

Hitachi-GE also recognises that the hazard identification and risk assessment procedures are pivotal in the design process, to eliminate or reduce the health and safety risks so far as is reasonably practicable.

77. ONR considers it an area of strength that Hitachi-GE has recognised the benefits of integrating UK CHS requirements into its design processes early on in the GDA process. In addition, ONR judge that Hitachi-GE has an understanding of the full breadth of legislation it is required to adhere to.

78. ONR has not identified any specific areas for follow up in Step 3; the focus will be on Hitachi-GE’s application of the revised design processes and on their detailed understanding of the UK legislative requirements.

79. Overall, ONR can see no reason, on CHS grounds, why the UK ABWR should not proceed to Step 3 of the GDA process.

9.2 SCIENCE DISCIPLINES

9.2.1 FAULT STUDIES

80. The focus of the fault studies assessment is on design basis analysis (DBA). ONR’s Safety Assessment Principles defines DBA as a robust demonstration of the fault tolerance of the facility, and of the effectiveness of its safety measures. Its principal aims are to guide the engineering requirements of the design, including modifications, and to determine limits to safe operation, so that safety functions can be delivered reliably during all modes of operation and under reasonably foreseeable faults. In DBA, any uncertainties in the fault progression and consequence analyses are addressed by the use of appropriate conservatism. In this approach, risk is not quantified, but the adequacy of the design and the suitability and sufficiency of the safety measures are assessed against deterministic targets. Fault studies also cover beyond the design basis, severe accidents and probabilistic safety analysis, and these topics are covered under the PSA topic for Step 2. For Steps 3 and 4 each of these topics will be covered separately.

81. Step 2 of ONR’s assessment for fault studies covers the DBA claims, and for the UK ABWR these are:

Design basis analysis (DBA) has shown that the engineering design of the UK ABWR is fault tolerant and has effective safety measures.

Initiating faults included within the DBA are identified, with a commitment to extend the list of faults as appropriate to meet UK expectations.

DBA fault sequences are established for the initiating faults within the design basis.


DBA has shown that all considered fault sequences clearly meet identified and justified acceptance criteria, including ONR’s design basis radiological consequence targets.

82. ONR’s assessment of this topic has been based on the sections of Hitachi-GE’s Preliminary Safety Report (PSR) relevant to fault studies. In addition to making positive assertions against safety claims described above for design basis reactor faults, the PSR also states that future analysis will demonstrate the robustness of the UK ABWR design to very unlikely ‘beyond design basis’ faults and faults occurring in the spent fuel pool.

83. During ONR’s assessment of the UK ABWR aspects of the safety case related to fault studies the following have been identified as areas of strength:

Hitachi-GE has demonstrated that its approach to analysing design basis faults is consistent with UK and international relevant good practice.

Hitachi-GE proposes to use established computer codes to model design basis fault sequences. The suitability of these codes has previously been accepted for licensing boiling water reactors by nuclear regulators in Japan and the USA.

Analysis of the design basis faults considered as part of the licensing of Japanese ABWRs, shows that acceptance criteria (which limit the radiological consequences resulting from a fault) are consistently met.

Hitachi-GE has set out proposals for summarising its safety case in a thorough and logical ‘fault schedule’.

84. ONR have identified the following aspects of the UK ABWR safety case related to fault studies that require follow-up during GDA Step 3:

Hitachi-GE will be expected to extend the list of design basis events it considers in its safety case. The list should include faults occurring during low power operation and shutdown, faults associated with essential services and support systems (for example electrical power supplies and cooling water systems), frequent events with a coincident common cause failure of a major safety system, and faults associated with fuel route operations. To ensure that these gaps in ONR’s expectations are addressed in a systematic manner and to provide additional guidance to the RP, ONR have raised five Regulatory Observations on these topics. Hitachi-GE’s responses to these Regulatory Observations will be a major assessment task for ONR in the subsequent steps of GDA.

Hitachi-GE will be expected to submit to ONR UK ABWR specific analysis for the complete list of design basis events, using the codes and methods it has described in the PSR. This analysis, along with supporting information to demonstrate the validity of the methods employed, will be a major assessment task for ONR in the subsequent steps of GDA.

Hitachi-GE has proposed to complement the safety provisions of the ‘standard’ ABWR reactor design with a segregated back-up building. The design and the safety functions to be delivered by this building have yet to be fully defined. Consideration of the design and the safety claims on the back-up building will be a key assessment task for ONR in the subsequent steps of GDA.

85. ONR have concluded that on the topic of design basis analysis, Hitachi-GE has established that the fundamental safety claims are consistent with UK relevant good practice. We therefore judge that there is no reason why the UK ABWR should not proceed to Step 3 of the GDA process.


9.2.2 FUEL AND CORE

86. This section is on the topic of ONR’s assessment of the design of the reactor fuel and its use under normal and fault conditions in the reactor core. ONR’s interpretation of the safety claims are as follows:

The fuel is designed and operated to comply with a set of functional requirements, and that safety limits constrain plant operation so that release of radioactive materials remains within acceptable limits.

High quality and proven design and production processes will reduce the incidence of fuel failures in normal operation.

The resilience of fuel in faults is assured by analysis of postulated faults against a defined set of fuel design criteria.

87. ONR’s assessment focussed on Hitachi-GE’s Preliminary Safety Report (PSR) and its references relevant to Fuel and Core. The work reported in the PSR and its references can be summarised as follows:

Control of core reactivity enables the safe shutdown of the reactor under all circumstances.

Removal of heat produced in the fuel via the coolant fluid can occur in normal operation and reasonably foreseeable faults (i.e. within the design basis).

Containment of radioactive substances inside the fuel clad will occur in frequent faults and fuel will retain geometry capable of being cooled for all reasonably foreseeable faults.

88. ONR’s assessment has identified the following areas of strength for the topic of fuel and core:

Hitachi-GE has achieved excellent fuel performance in existing ABWR plant during normal operation, and ONR judges that this can be translated to the irradiation conditions proposed for the UK, although this will need to be demonstrated.

The fuel design limits proposed are in line with ONR’s regulatory expectations. Analysis presented by Hitachi-GE shows that the design has a good prospect of demonstrating substantial resistance to damage in loss-of-coolant accidents.

The systematic demonstration of resistance to stresses induced by power changes is a particular regulatory expectation in the UK. In the case of the proposed fuel, this is enhanced by the addition of a soft, pure zirconium liner on the inside of the clad, and ONR are satisfied that satisfactory arguments can be made to support the claim of fuel integrity in frequent faults.

The modelling of fuel performance has yet to be reported in detail, but based on the material presented to date; ONR expects it to be in line with regulatory expectations.

89. ONR have identified the following areas that require follow-up for the fuel and core topic:

A formal justification will be needed to demonstrate that no fuel failures are expected in normal operation and anticipated frequent faults, including adequate allowances for foreseeable fuel degradation mechanisms.

The distortion of fuel channel has been noted to increase with increasing assembly irradiations, with potentially adverse affects on safety margins. Surveillance and operational constraints are currently used to manage fuel channel distortion. A detailed justification of the adequacy of these measures will be required.


The fuel irradiation proposed is higher than that currently practiced in the UK and Japan, and is achieved by adopting a highly optimised fuel-to-moderator ratio. In this situation, the core response to pressure transients can increase the risk of significant short term power transients (including clad dryout) unless the design provides adequate safety margins. The core kinetic response will require a detailed examination to confirm the adequacy of its safety margins.

The modelling practices, codes and methods will require additional work, including substantiation of safety margins in the context of established levels of uncertainty. To assist ONR’s assessment process they have commissioned some independent confirmatory analysis.

A set of safety limits needs to be developed to ensure acceptable clad integrity in interim storage, taking into account proposed fuel irradiations and all degradation mechanisms.

90. On the topic of fuel and core ONR have concluded that the safety claims have been established and are judged to be consistent with their regulatory expectations. ONR have also indentified areas of further work for Hitachi-GE to produce the arguments and evidence to justify its claims for fuel and core during Steps 3 and 4 of GDA. ONR have reached the conclusion that on the topic of fuel and core there is no impediment to proceeding to Step 3 of GDA.

9.2.3 CONTROL AND INSTRUMENTATION (C&I)

91. Control and instrumentation systems are used throughout all parts of the UK ABWR for a wide range of normal and safety functions. The safety claims examined by ONR in Step 2 relate to the adequacy of the architecture of the C&I systems to perform their functions against the design basis, beyond design basis, severe accidents and probabilistic claims made against them. In addition ONR assesses whether these systems meet the expectations of the appropriate standards and guidance, and the established relevant good practice.

92. ONR’s assessment focussed on Hitachi-GE’s Preliminary Safety Report (PSR) and its references relevant to C&I, and can be summarised as follows:

The C&I systems are classified in accordance with the functions they perform and their safety significance.

High-level design principles of segregation, independence, diversity, defence against common cause failures and defence in depth are applied to the design of the C&I systems.

C&I systems are designed to comply with relevant codes and standards.

93. During the early stages of ONR’s assessment, a potential shortfall in the diversity between the safety system and logic control (SSLC) platform technology and other control systems was identified as a regulatory concern. Following extensive engagement with the RP, it has committed to modify the technology of the SSLC to be diverse from other control systems for the UK ABWR. It has also agreed to enhance the isolation of its SSLC from the other control systems, and also to provide additional isolation of the plant computer control system from more general nuclear power station computer networks through the use of one way data diodes.

94. ONR have identified the following areas of strength on the topic of C&I:

Hitachi-GE has an adequate process in place to identify faults and classify the C&I systems that are required to support its claim relating to the overall safety of the UK ABWR.

Following the agreed changes to the technology of the SSLC and enhanced isolation, the high-level design of the C&I architecture appears to follow relevant


good practice, having three diverse, independent and separate C&I platforms, which deliver primary and secondary protection and control functions.

95. ONR are satisfied that the high-level claims made by Hitachi-GE are reasonable, complete, and can be adequately underpinned with sufficient arguments and robust evidence in future safety submissions.

96. ONR have identified the following areas that require follow-up in the C&I area in subsequent GDA steps:

The demonstration of adequate ‘production excellence’ of the SSLC design.

The design and development of this system to support its classification (Class 1) requirements will require ‘production excellence’ processes proportionate with its classification. Specifically Hitachi-GE will be expected to fully develop its processes for complex components such as Field Programmable Gate Arrays (FPGA), which are planned to be used in this system.

Independence of design teams for C&I platforms.

To support the development of the SSLC design it is essential for the design team to be independent from teams who are developing the design of other protection and control systems. Hitachi-GE has not yet demonstrated that independent teams are in place to deliver this expectation.

Hardwired system.

The standard ABWR has a hardwired system is based on non-programmable technology, which is made up of a number of separate subsystems. For Hitachi-GE to demonstrate that this system is adequate and resilient to systematic faults, it should be designed as a single coordinated system. ONR also expects its functionality to be extended, particularly in the area of the ECCS and potentially the spent fuel pool. Hitachi-GE will be expected to provide more information during Step 3 to describe the complete hardwired design.

97. During step 3 of GDA ONR will be examining the above areas in greater detail and will be raising the following ROs based on the Step 2 assessment:

Production excellence of FPGA based Primary Protection System.

Independence of design teams for C & I platforms.

Secondary Protection System design.

98. For Step 2 Hitachi-GE has shown that it understands the need to improve its C&I architecture, and has already proposed major changes that will enhance the independence of the three main C&I systems specified for the UK ABWR. ONR judges that there are no reasons, on Control and Instrumentation grounds, why the UK ABWR should not proceed to Step 3 of the GDA process.

9.2.4 ELECTRICAL ENGINEERING

99. For the electrical systems, Hitachi-GE has stated a set of high level safety claims, which demonstrate that the electrical systems system support the functional safety systems of the plant, by having the capability through defence in depth to withstand a wide range of internal and external events throughout its operational life.

100. ONR’s electrical engineering assessment has been based on Hitachi-GE’s PSRand its references relevant to electrical systems and can be summarised as follows:

The electrical systems are designed so that the safety of reactor facilities is maintained, by ensuring continuity of electrical power supplies regardless of transient disturbances and faults during operation.


The electrical systems are designed so that in the event of loss of all AC power the reactor can be shut down safely.

The safety class 1 on-site power sources have redundancy, are physically separated and are independent from each other.

101. ONR have identified the following areas of strength on the topic of electrical engineering:

Hitachi-GE has presented a hierarchical structure of safety claims for the electrical systems based on a series of key safety claims, which provides confidence that this can be developed to form the structure of a complete safety case.

The structure of the AC distribution network meets ONR’s regulatory expectations for separation of supplies.

102. ONR have identified the following areas that require follow-up in electrical engineering in subsequent GDA steps:

ROs covering common cause failure, loss of offsite power and analysis of failures of essential services will be followed up in conjunction with fault studies assessment.

The measures proposed by Hitachi-GE to achieve diversity between the electrical systems in the back up building and the reactor building.

Safety classification of electrical equipment.

103. ONR judges that the safety claims on the electrical system are consistent with UK relevant good practice and therefore there are no reasons why the UK ABWR should not proceed to Step 3 of the GDA process.

9.2.5 SECURITY

104. The primary focus of the engagement during Step 2 was to ensure that Hitachi-GE had a clear understanding of ONR’s expectations for submissions relating to security, and the methodology required to undertake Vital Area Identification work.

105. Throughout Step 2, ONR have focused on the protection of Sensitive Nuclear Information (SNI), and wider personnel and information security, to ensure that Hitachi-GE has the necessary security arrangements in place to comply with the requirements detailed in the HMG Security Policy Framework, and UK legislation.

106. A key outcome of Step 2 in the security area was Hitachi-GE’s development of a framework to allow Vital Area Identification (VAI) to be undertaken using the UK Design Basis Threat (DBT), referred to as the Nuclear Industries Malicious Capabilities (Planning) Assumptions (NIMCA). The document bears a national caveat and cannot be released to non-UK citizens. ONR have started assessing Hitachi-GE’s methodology for Vital Area Identification to ensure that a robust approach will be adopted during GDA Steps 3 and 4, which can effectively identify those structures, systems and components that need protecting from potential acts of sabotage.

107. ONR judges that there are no reasons, on security grounds, why the UK ABWR should not proceed to Step 3 of the GDA process.

9.3 SCIENCE DISCIPLINES

9.3.1 HUMAN FACTORS


108. Human factors (HF) is the scientific study of human physical and psychological capabilities and limitations, and the application of that knowledge to the design of work systems. Within the nuclear context, HF is concerned with the human contribution to nuclear safety during facility design, construction, commissioning, operation, maintenance and decommissioning, including fault and emergency conditions. ONR requires that a systematic analytical approach be applied to understanding the factors that affect human performance and the human reliability within the context, and a demonstration that the potential for human error to adversely affect nuclear safety is reduced as low as reasonably practicable (ALARP).

109. Step 2 of ONR’s HF assessment has focused on the safety claims, which should cover:

Systematically identified specific human-based safety claims (HBSC) or safety actions that contribute to the support and delivery of nuclear safety functions, together with statements about the feasibility of such actions. This includes identification of human failure events that may impact nuclear safety and risk.

Concept of operations, allocation of function (AoF) between human actuations and automated engineered actuations, procedures and personnel competence that are appropriate for all modes of operations, including fault and emergency response.

Workspaces, interfaces, equipment and task design which are compatible with human characteristics and limitations, accounting for all plant states and conditions.

110. ONR’s assessment of this topic has been based on the sections of Hitachi-GE’s PSR relevant to HF and on Hitachi-GE’s HF integration plan (HFIP) and supporting references. The preliminary HF safety case for the UK ABWR is summarised as follows:

The HF safety claims range from broad system design claims to specific HBSCs, based on the maturity of the design at the end of Step 2. Wide consideration of HF exists within the design on which the UK ABWR is based.

Hitachi-GE has developed a comprehensive HF integration programme to ensure continued, holistic and systematic application of HF throughout GDA.

Advances in automated control and protection have formed the basis of the ABWR and its concept of operations and AoF. Automated systems deliver primary reactor safety functions; automation has been designed to optimise operator workload, reduce human error and ensure compatibility with human characteristics and limitations.

111. ONR’s assessment of the HF aspects of the preliminary safety case has identified the following areas of strength:

The PSR and HFIP provide adequate descriptions of the HF claims and HF integration activities required to meet UK regulatory expectations.

Hitachi-GE has been transparent in identifying shortfalls against modern HF standards, which ONR believe has contributed to the production of a balanced preliminary HF safety case. ONR has not identified any HF claims considered to be unreasonable, such that they would challenge the expectations of the SAPs, or be likely to result in fundamental plant design changes.

The high level HF claims for the design on which the UK ABWR is based seem reasonable, and appear to be supported by an alternative approach to HF integration, where aspects of HF good practice have been encapsulated within Hitachi-GE’s various design processes, standards and specification documents.


The specific HBSCs for the UK ABWR appear typical of those for nuclear power plant.

Hitachi-GE has provided preliminary information to show that the UK ABWR function allocation has incorporated relevant insights from operational experience. Based on the PSR, at this stage of GDA, ONR are confident that Hitachi-GE’s design decisions for AoF and concept of operations follow a balanced approach which considers technical feasibility and what is necessary for safety, human capabilities and limitations.

112. ONR has identified the following areas that require follow-up during Step 3:

ONR has not seen evidence of systematic task-analytical based processes for identifying the factors that influence HBSCs, and for determining the specific level of HF attention given to the baseline ABWR design for all stages of the plant lifecycle and all operational states and conditions. Whilst this does not necessarily invalidate the claims or mean that adequate evidence does not exist; further detailed analyses by HF specialists is required to produce and / or validate such evidence.

The number of specific HBSCs suggests a potentially high human contribution to the overall risk. However, the significance of the human contribution to the overall risk is currently unknown due to the absence of a probabilistic safety analysis (PSA) for the UK ABWR. This needs to be explicitly analysed by the RP, taking into account developments in other areas (such as internal and externals hazards and severe accident analysis (SAA) etc), and the risk from human failures demonstrated to be ALARP. The absence of a UK ABWR full scope PSA (and supporting analyses) presents a significant project risk to overall completion of ONR’s HF assessment.

Evaluation is needed of the full implementation of Hitachi-GE’s HF organisation in response to the RO on HF Specialist Resource and Organisation issued by ONR during step 2.

There will need to be a review of the adequacy and independence of Hitachi-GE’s HF quality assurance and peer review.

Detailed assessment of Allocation of Function and concept of operations is required.

Appraisal will be required of RP’s responses to the RQs on human reliability analysis issued by ONR during step 2.

113. Overall, ONR judge the preliminary HF safety case for the UK ABWR to be adequate and there are no reasons why the UK ABWR should not proceed to Step 3 of the GDA process.

9.3.2 MANAGEMENT FOR SAFETY

114. The Step 2 assessment of the management of safety and quality assurance (MSQA) arrangements put in place by Hitachi-GE was undertaken jointly by ONR and the Environment Agency.

115. During step 2 ONR and EA judged Hitachi-GE’s management system arrangements against the requirements of international quality management system standards, and their ability to fulfil the regulatory expectations expressed in the regulators’ GDA guidance documents.

116. ONR’s and EA’s assessment has been based on the management system documentation submitted by the RP, and an inspection at Hitachi-GE’s offices in Hitachi City (Hitachi Works), during which ONR and EA checked the implementation of


the management system arrangements. Hitachi-GE’s management system documentation consisted of:

GDA project plan.

Quality management plan (for UK ABWR GDA project).

Compliance table for regulatory expectations.

GDA specific procedures.

117. During step 2 ONR and EA identified the following areas of strength:

Hitachi-GE has a quality management system which is certificated to ISO 9001:2008, and has developed specific management system arrangements for the GDA project that will control the development, review, independent review and approval of the safety, security and environmental submissions to deliver the regulators’ expectations for GDA. These arrangements were generally of a good standard.

ONR’s and EA’s implementation inspection at the Hitachi Works in Japan concluded that Hitachi-GE has implemented suitable management system arrangements for the GDA project, which based on the sample taken, should ensure that the regulators’ expectations for GDA are fulfilled, and that the safety, security and environmental documentation produced within GDA will be adequately reviewed and independently verified.

ONR’s and EA’s implementation inspection identified 10 areas for improvement; these included process improvements and minor documentation changes. Hitachi-GE has undertaken corrective action and provided evidence which has enabled us to verify that the actions are complete.

118. ONR’s and EA’s assessment of Hitachi-GE’s management arrangements for the UK ABWR GDA has identified the following areas that require follow-up:

An area for improvement found during the regulators’ MSQA inspection related to the recording of nuclear safety and best available techniques (BAT) discussions, and considerations during the design review meetings. Hitachi-GE carried out prompt corrective action and has sent examples of these reviews to demonstrate the effectiveness of the improved process. In Step 3 ONR will continue dialogue with Hitachi-GE to ensure the design reviews adequately record discussions of nuclear safety and BAT.

Hitachi-GE has submitted a matrix to show how the regulators’ expectations for steps 3 and 4 will be met. This will need to be monitored throughout step 3.

119. Overall, ONR and EA see no reason, on MSQA grounds, why the UK ABWR should not proceed to step 3.

9.3.3 PROBABILISTIC SAFETY ANALYSIS AND SEVERE ACCIDENT ANALYSIS

120. Probabilistic Safety Analysis (PSA) is an integrated, structured, logical safety analysis that combines engineering and operational features in a consistent overall framework. It is a quantitative analysis that provides measures of the overall risk to the public that might result from a range of faults (for example, failure of equipment to operate, human errors, or hazards such as fires). PSA enables complex interactions, for example between different systems across the reactor, to be identified and examined and it provides a logical basis for identifying any relative weak points in the proposed reactor design.

121. Severe accidents are those scenarios that involve overheating and degradation of the reactor core or the spent fuel in the spent fuel pool. Severe Accident Analysis (SAA) will then address the progression of such accidental sequences, the phenomena


involved, the engineered features and management strategies in place to mitigate such scenarios, and the potential radioactive releases to the environment from such scenarios. Because of the close connection between the PSA and SAA (SAA being a key input to the PSA), ONR has undertaken the assessment of the two topics jointly during step 2. For steps 3 and 4 both topics will be covered and reported separately.

122. ONR’s PSA and SAA assessments during step 2 have focused on the safety claims put forward by Hitachi-GE in these two areas; these are interpreted by ONR as being specific and supportable statements to show and / or describe:

The PSA results (or surrogates, or qualitative information in the absence of detailed analyses) that represent the risk of the UK ABWR.

That the UK ABWR PSA meets relevant good practice in terms of its validity, scope, technical adequacy and usage to support design and future operation.

The severe accident phenomena that are (or are not) relevant for the UK ABWR, and the progressive challenges to, and failures of, the multiple barriers.

The engineered features, strategies and procedures to deal with severe accident sequences in the UK ABWR, and specific statements of why these reduce the level of risk ALARP.

The potential progression of severe accident sequences in the UK ABWR and the behaviour of fission products in such events.

123. ONR’s assessment has been based on Hitachi-GE’s PSR and some additional, more detailed reports relevant to PSA and SAA submitted by Hitachi-GE . The UK ABWR preliminary safety case aspects related to PSA and SAA, as presented in those documents, is summarised as follows:

The UK ABWR PSA is under development and has not been submitted to ONR in step 2. Hitachi-GE has provided a preliminary bounding estimate for the core damage frequency (CDF) for internal events, and internal fire and flooding. Hitachi-GE has also provided the strategy and high-level programme to develop a modern-standards, full-scope level 1, level 2 and level 3 PSA during GDA. The PSA will inform the demonstration that the level of risk is ALARP and will support the design change decision-making process.

Hitachi-GE has provided high level descriptions of the severe accident phenomena relevant to ABWRs and the expected severe accident progression for the UK ABWR, has proposed severe accident management measures, and presented analyses of selected scenarios. Hitachi-GE will develop further SAA to confirm the capability of the engineered features and measures to deal with severe accident sequences and to support the level 2 PSA. Source term analysis will also be developed and will provide input into the level 3 PSA.

124. ONR’s step 2 assessment of the PSA and SAA aspects of the UK ABWR preliminary safety case has identified the following areas of strength:

Hitachi-GE has started to set up the basis to develop a full scope PSA that will reflect the UK ABWR design. In addition, UK specific parameters and data relevant to the evaluation of accident consequences will be incorporated into the level 3 PSA by using a state of the art computer code. Hitachi-GE will review the PSA to reflect design modifications during GDA. Hitachi-GE has provided a strategy to use this PSA to inform the design process and to inform the demonstration that the level of risk associated with the UK ABWR is ALARP.

The high level description of the severe accident phenomena provided by Hitachi-GE covers key phenomena which are expected to be relevant for boiling water reactors in general. The severe accident progression analyses for the UK


ABWR are being developed using an internationally established computer code.

125. During Step 2 ONR have identified the following areas that require follow-up:

The bounding CDF estimate could result in risk figures that would not meet ONR’s expectations for new reactors when compared against the numerical targets in the SAPs. Although Hitachi-GE has indicated that this evaluation is conservative, the analyses provided are simplified and appear to be incomplete. At this point ONR do not have sufficient information to properly understand the risk profile for the UK ABWR, as this requires a full scope, modern standards PSA.

To clarify regulatory expectations, ONR will issue an RO to request Hitachi-GE to develop a detailed PSA programme and submit the PSA models, data, supporting analysis and accompanying documentation throughout Steps 3 and 4.

During Step 2 Hitachi-GE has committed to providing a full scope, modern standards PSA, and has provided a milestone schedule. This includes providing information regarding the internal events PSA at the beginning of Step 3, and the level 1 and level 2 PSA for internal events during operation at power by the end of 2014; however this will not provide the complete picture of the UK ABWR risk. The remaining parts of the PSA will follow later in GDA, including delivery of the hazards PSA during Step 4.

The timely delivery by Hitachi-GE of the level 1 and level 2 PSA for internal initiating events during operation at power (proposed for December 2014), and the quality of this part of the PSA, will be key to providing ONR with confidence of Hitachi-GE’s ability to deliver a full scope PSA which:

Meets ONR’s expectations.

Provides a clear understanding of the UK ABWR risk.

Supports the demonstration that the level of risk is ALARP.

Should Hitachi-GE not deliver the analyses as per the programme, or the quality be lacking, ONR has additional regulatory options.

The SAA information provided by Hitachi-GE during step 2 is preliminary in nature and more information will be required to provide the basis for a meaningful assessment during steps 3 and 4. For example, the description of the severe accident phenomena is generic, and more detail is required for the proposed engineered features, strategies and procedures for the UK ABWR severe accident management. In addition, the scope of the events covered by the analyses will need to be expanded and documented thoroughly, and fission product behaviour has not been considered at this stage.

Additional information and analysis that Hitachi-GE plans to provide in step 3 should address some of the issues identified and ONR will follow up these matters in step 3. ONR will also consider the need for technical support contractors to undertake independent confirmatory severe accident analyses later in GDA.

126. ONR has identified significant shortcomings in these areas,, and we currently consider these topics a significant risk to the successful completion of GDA. However ONR considers that Hitachi-GE has a credible way forward, and that there is sufficient time within GDA for the analyses required to be completed by the RP. Therefore, ONR judge that there are no reasons, on PSA and SAA grounds, why the UK ABWR should not proceed to step 3 of the GDA process.

9.3.4 RADIOLOGICAL PROTECTION


127. In GDA the technical area of radiological protection covers the measures put in place by Hitachi-GE to restrict, so far as is reasonably practicable, exposure of workers and public to radiation. ONR’s work during Step 2 has focused on the assessment of the key claims in the area of radiological protection; these are interpreted by ONR as being specific statements to demonstrate that the design has been optimised to ensure:

That the quantities of radioactive material generated, especially where these have the ability to contribute to radiation exposure of operators, other workers or other persons on site, from all sources, and members of the public from direct radiation, have been reduced to ALARP.

That doses received by operators, other workers or other persons on site from all sources, and members of the public from direct radiation, have been reduced to ALARP.

128. ONR’s assessment has been based on Hitachi-GE’s PSR and its references relevant to radiological protection. The aspects related to radiological protection in the UK ABWR preliminary safety case are summarised in PSR reports on:

Definition of radioactive sources: this report defines, at a high level, the source terms for UK ABWR in normal operations, during outage and during transport and storage of radioactive items, contaminated items and spent fuel.

Strategy to ensure that exposure is ALARP: this report describes at a high level how aspects of the design, and the approach to proposed operation of the facility, have been optimised to ensure that doses to operators, other workers, or other persons on site from all sources, and members of the public from direct radiation, have been reduced to ALARP.

129. ONR’s Step 2 assessment of the radiological protection aspects of the UK ABWR preliminary safety case has identified the following areas of strength:

The ABWR is a mature design and appears to incorporate a number of improvements which, on the basis of the evidence available at this stage, aim to reduce radiation doses to workers and members of the public through (but not limited to):

Careful materials choices, mainly through the reduction of cobalt (and similar elements susceptible to neutron activation) present in the reactor coolant circuit.

The choice of reactor chemistry regime (the chosen chemistry regime is claimed to minimise the amount of radioactivity within the reactor coolant circuit).

In addition there appears to be body of operational experience which Hitachi-GE is intending to use to support the safety case. If this information can be obtained it should form a useful body of evidence, with appropriate provenance, to assist Hitachi-GE to make suitable arguments to strengthen the UK ABWR safety case.

130. In the area of radiological protection, ONR have identified the following areas that require follow-up:

Further clarification of the source terms to be used as the basis of the UK ABWR safety case (this overlaps with a number of other specialist areas and will involve close ongoing interaction with other technical areas in GDA).

Further development of an understanding of how the chosen chemistry regime will impact upon radiological protection.

Further exploration of the approach taken to radiological zoning and the way it informs and defines the hierarchy of control measures.


Further discussions over the approach taken to the design of radiation shielding.

Further consideration of the radiological protection matters associated with the management of maintenance activities (including outages) and further exploration of radiological aspects specifically related to the boiling water reactor technology.

Additional consideration of the design of the heating, ventilation and air conditioning (HVAC) system and its role in radiological protection.

Further development of an understanding of how the arguments around, and supporting the demonstration of ALARP within the safety case are made.

Clarification on how links to radiological protection within other topic areas e.g. interim spent fuel storage, are covered.

A better understanding of the doses likely to be incurred during decommissioning and an assessment of how they have been reduced ALARP by optimisation of the “design for decommissioning”.

Further exploration of how the contributions made to doses to workers and members of the public resulting from direct radiation from the reactor building, the turbine-hall and the interim storage of spent fuel have been assessed.

131. The reports assessed by ONR during step 2 represent an acceptable basis from which Hitachi-GE will be able to develop a broader and more detailed radiological protection chapter within the PCSR, which will be supported by additional references. Therefore, ONR see no reason, on radiological protection grounds, why the UK ABWR should not proceed to Step 3.

9.3.5 RADIOACTIVE WASTE MANAGEMENT, SPENT FUEL MANAGEMENT AND DECOMMISSIONING

132. ONR’s GDA work in these technical areas covers Hitachi-GE’s proposals for the safe minimisation, handling, storage and disposal of radioactive waste arising from all parts of the power station and the proposals for decommissioning.

133. ONR’s assessment during Step 2 has focused on the key claims put forward by Hitachi-GE in the areas of radioactive waste management, spent fuel management and decommissioning to judge whether they are complete and reasonable. ONR interpret safety claims in these areas as being specific and supportable statements to show:

That the strategies being developed for the management of radioactive waste and spent fuel and for decommissioning are consistent with Government policy, are integrated with other relevant strategies and integrated into the safety case.

That the design ensures that the generation and accumulation of waste, from activation and contamination, are prevented or minimised and that all waste streams have a disposability route.

That the design ensures that radioactive substances will be contained, and the generation of radioactive waste through the spread of contamination by leakage will be prevented in normal operation, fault and accident conditions.

That the anticipated timescales for the management of radioactive wastes and spent fuel, from production to disposal, including potential intermediate steps can be achieved ensuring safety at all times.

That continued safe storage of the radioactive material for the planned storage period can be achieved, ensuring safety at all times, and does not compromise future retrieval and treatment and/or transportation.


That the UK ABWR will incorporate design features to facilitate decommissioning and to reduce dose uptake by decommissioning workers.

A plan for decommissioning that defines the decommissioning end-state for the facility and any interim states, and the ability to achieve these safely.

134. ONR’s assessment has been based on Hitachi-GE’s PSR and its references relevant to radioactive waste management, spent fuel management and decommissioning, which are summarised in PSR reports on:

Radioactive waste management system: this report describes at a high level the key safety claims for solid, liquid and gaseous waste management systems.

Spent fuel interim storage (SFIS): this report describes the high level safety requirements for the SFIS, and the outline process that Hitachi-GE will use for the optioneering for the spent fuel storage concept design.

Decommissioning: this report describes at a high level how the decommissioning principles underpin the design, safety claims, and the outline for decommissioning plans and programme.

135. ONR’s assessment has identified the following areas of strength:

Hitachi-GE is developing strategies for radioactive waste management, spent fuel management and decommissioning for the UK ABWR which appear to be reasonable and adequate in principle. The radioactive waste strategies proposed have been developed for use across the world and are therefore advanced. The spent fuel and decommissioning strategies require more development, but Hitachi-GE has made good progress and has shown awareness of the UK requirements.

All major waste streams have been identified and disposability assessments, where applicable, are being are being discussed.

Designing the UK ABWR to facilitate decommissioning has already resulted in some design changes being proposed by the RP, which is sufficient for Step 2.

136. During Step 2 ONR have identified the following areas that require follow-up:

All wastes such as potentially contaminated oils, and high level waste (e.g. reactor internals), need to be integrated into the relevant strategies, i.e. decommissioning and waste strategies, and proposed facilities i.e. waste processing and storage facilities.

Further development of the safety case for the safe management of spent fuel over the currently anticipated timescales to final disposal is required.

The construction sequence for the UK ABWR needs to be reviewed in terms of its safety impact, if any, on the safe decommissioning of the facility at the end of life.

137. Overall, ONR see no reason, on radioactive waste management, spent fuel management and decommissioning grounds, why the UK ABWR should not proceed to Step 3.

9.3.6 REACTOR CHEMISTRY

138. Reactor chemistry means the influence of coolant chemistry on reactivity, pressure boundary integrity, fuel and core component integrity, radioactive waste generation and radiological doses to workers and the public. In this sense reactor chemistry is a broad topic with close interfaces with several other technical areas in GDA such as structural integrity and radiological protection.


139. During Step 2 ONR’s work has focused on the assessment of the key claims in the area of reactor chemistry; these are interpreted by ONR as being:

Any requirement or constraint placed on the operating chemistry of the plant which must be met in order to allow the plant to be operated safely.

Any chemistry related functional requirement which must be met to ensure that the plant is operated within its design basis.

Any effect or consequence of chemistry during normal operations, during faults or during severe accidents, which must be understood and controlled in order to ensure the safety of workers and the public.

140. ONR’s assessment has been based mainly on Hitachi-GE’s PSR for reactor chemistry, but has also included relevant aspects of submissions in other technical areas. Hitachi-GE’s safety case for reactor chemistry, as presented in those documents, is summarised as follows:

The PSR for reactor chemistry describes the basis for chemistry management of the UK ABWR. It contains a description of the operational chemistry for a number of systems in the UK ABWR where there is a requirement to maintain chemistry control for safety purposes. The systems considered do not represent all of those where such controls may be needed, but were selected by Hitachi-GE on the basis of their safety significance. These include the primary cooling water, spent fuel pool, component cooling water, suppression pool and standby liquid control systems.

The main output from the PSR is a set of claims for reactor chemistry, which aim to link the operating chemistry with the safety related functions it provides. The claims vary by system, but relate to some or all of the aspects of the following: maintaining fuel integrity; maintaining structural material integrity; reducing dose rates; minimising radioactive waste; and minimising radioactive releases to the environment. The overriding claim is that the operating chemistry reduces risks to ALARP.

141. ONR’s Step 2 assessment of the reactor chemistry aspects of the UK ABWR preliminary safety case has identified the following areas of strength:

Overall, Hitachi-GE has identified the operating chemistry for most of the main safety related systems in the UK ABWR, has linked this to the main safety related functions it provides and has identified a reasonable set of claims. While in some areas the claims are still at a high-level, and do not yet fully consider matters outside of the operating chemistry (for example the supporting engineering), ONR have no reason to suggest that they cannot be further developed as GDA progresses.

Hitachi-GE is considering the ALARP operating chemistry regime for the primary cooling system of the UK ABWR.

Hitachi-GE appears to be considering the impact and interactions that the reactor chemistry choices have on other aspects of the UK ABWR design in an appropriate manner.

ONR are confident that Hitachi-GE should be able to provide the arguments and evidence as necessary to adequately support the claims that have been made on reactor chemistry during step 2.

142. In addition to the development of the full reactor chemistry safety case and the need for additional claims on chemistry, ONR have identified the following areas that require follow-up:


Definition and justification of the radiological source terms for the UK ABWR during normal operations, including a demonstration that the risks are reduced ALARP. An RO has been issued during Step 2 to address this matter.

Generation, accumulation, management and mitigation of radiolysis gas during normal operations and the safety justification for this in the safety case.

Justification for the material choices for the UK ABWR and how this interacts with the operating chemistry and arguments which may be made regarding structural integrity and minimisation of radioactivity.

Justification of the claim regarding pH control in the suppression pool, in particular whether it reduces risks ALARP.

Development of the chemistry related aspects of the design basis and severe accident analyses for the UK ABWR.

143. Overall ONR are satisfied that Hitachi-GE has established reasonable claims in the area of reactor chemistry, and are confident in Hitachi-GE’s ability to further develop the reactor chemistry aspects of the UK ABWR safety case during Step 3, Therefore, ONR see no reason, on reactor chemistry grounds, why the UK ABWR should not proceed to Step 3 of the GDA process.

9.4 LONG LEAD ITEMS

144. Large plant items such as the reactor pressure vessel take a long time to manufacture and are typically the first items to be procured for the construction. It is possible that such items may need to be ordered whilst the GDA assessment is on going, which presents a risk to the potential licensee in that ONR may identify technical issues relating to the items (e.g. material composition) after the order has been placed. Therefore to reduce this regulatory risk ONR has committed to assess such items early on. Hitachi-GE has committed to working with Horizon Nuclear Power on the list of long lead items, for submission to ONR in December 2014.

10 CONCLUSIONS

145. This report is ONR’s first public report on the ABWR and it comes at the end of Step 2. We have considered the fundamental safety and security aspects of the design, and the Environment Agency has considered the environmental acceptability of the design, which is reported on separately.

146. Overall, the interactions with Hitachi-GE as the Requesting Party (RP) throughout Step 2 have been positive, and ONR generally considers Hitachi-GE to be responsive, determined to understand and meet UK regulatory expectations, and open to constructive challenge and engagement. Hitachi-GE has worked consistently hard throughout Step 2 to provide material that meets UK regulatory expectations, which is to be commended. Their knowledge and understanding across the majority of the engineering and systems disciplines is generally good, however, in the science areas, and in particular Probabilistic Safety Assessment (PSA), ONR generally considers their knowledge of UK regulatory expectations to be less well developed, and we have been working with Hitachi-GE to bridge this gap. Furthermore in some of the science areas there has been very limited progress and a lack of material for assessment during Step 2. Where this is the case ONR has worked with Hitachi-GE to establish forward programmes of submissions to build regulatory confidence, and ONR is clear with Hitachi-GE that meeting the milestones in these plans is vital to continued progression through GDA within the timescales set by the RP.

147. ONR have also been able to highlight design modifications that will be required, which we consider a significant success at Step 2 as Hitachi-GE has the time to complete the analysis we will need.


148. There is a considerable amount of work to be undertaken by Hitachi-GE going forward, requiring significant capacity and capability across all of the topic areas for the RP. ONR will continue to rigorously assess the safety and security submissions throughout Step 3 and Step 4, and ONR will address potential issues of capacity and capability should they arise. ONR will also consider Hitachi-GE’s ability to produce holistic safety cases that recognise the dependencies between the individual technical topic areas as GDA progresses.

149. In summary, at the end of our Step 2 assessments we have not identified any fundamental safety or security issues that might prevent issue of a DAC or that would need to be addressed in order to acquire one.


11 REFERENCES

1. ONR Nuclear Safety Technical Assessment Guide. Guidance on the Demonstration of ALARP http://www.onr.org.uk/operational/tech_asst_guides/ns-tast-gd-005.pdf

2. New Nuclear Reactors: Generic Design Assessment Guidance to Requesting Parties. ONR-GDA-GD-001 Revision 0 August 2013. http://www.onr.org.uk/new-reactors/ngn03.pdf

3. Strategy for working with overseas regulators on the assessment of the UK ABWR.

4. New nuclear power station Generic Design Assessment: Safety assessment in an international context.


http://www.onr.org.uk/operational/tech_asst_guides/ns-tast-gd-005.pdf

http://www.onr.org.uk/new-reactors/ngn03.pdf

12 ANNEX 1 - STEP 2 DESCRIPTION AND AIMS

O STEP 2: FUNDAMENTAL DESIGN, SAFETY CASE AND SECURITY CLAIMS

OVERVIEW

Step 2: Description and aims

Step 2 is an overview of the acceptability, in accordance with the regulatory regime of Great Britain, of the design fundamentals, including review of key safety and security claims.

This step may take around 6 to 8 months, assuming the ONR GDA team is engaged on a single reactor design assessment.

The aim of this step is to assess the key claims and identify any fundamental safety or security shortfalls that could prevent the proposed design from being licensed in Great Britain.

A related aim is that the RP will come to fully understand the regulatory approach used in Great Britain and thus ensure that an adequate safety case and a suitable CSA submission will be developed for Steps 3 and 4.

It will also introduce ONR inspectors to the fundamentals of the design and provide a basis for planning subsequent, more detailed, assessment.

Step 2: The RP is required to:

Provide a Preliminary Safety Report (PSR), that includes sufficient information for ONR’s Step 2 assessment, in particular:

A statement of the design philosophy and a description of the resultant conceptual design sufficient to allow identification of the main nuclear safety claims including identification of hazards, control measures and protection systems.

A description of the process being adopted by the RP to demonstrate compliance with the legal duty in Great Britain to ensure risks to workers and the public arising from the operation of a power station based on the proposed design are reduced ‘So Far As Is Reasonably Practicable’ (SFAIRP). It should be noted that for ONR's assessment purposes the terms ALARP (As Low As Reasonably Practicable) and SFAIRP are interchangeable and require the same tests to be applied (refer to Section 5 below for further information).

Details of the safety principles and criteria that have been applied by the RP in its own assessment processes, including the control of risks to workers and the public.

A broad demonstration that the RP’s safety principles and criteria are likely to be achieved by the design.

An overview of the approach, scope, criteria and output of the deterministic safety analyses.

An overview of the approach, scope, criteria and output of the probabilistic safety analyses.

Specification of the site characteristics to be used as the basis for the safety analysis (the 'generic site envelope').

Explicit references to standards and design codes used, justification of their applicability, and that they represent relevant good practice, and a broad demonstration that they have been met (or exceptions justified).

Information on the quality management arrangements for the design, including design controls, control of standards, verification and validation, and the interface between design and safety.

Details of the safety case development process, including peer review arrangements, and how this gives assurance that nuclear risks are identified and managed.

Information on the quality management system for the safety case production.

Identification and explanation of any novel or complex features, including their


O STEP 2: FUNDAMENTAL DESIGN, SAFETY CASE AND SECURITY CLAIMS OVERVIEW

importance to safety.

Identification and explanation of any deviations from modern, international good practices.

Sufficient detail for ONR to satisfy itself that its Safety Assessment Principles (SAP) are likely to be satisfied.

Where appropriate, information about all relevant assessments completed by overseas regulators.

Identification of outstanding information that remains to be developed and its significance.

Information about any long-lead items intended for incorporation into a plant constructed in Great Britain that may be ordered or manufactured during the GDA process.

Information on radioactive waste management and decommissioning.

Information on the reference design, safety and security submission freeze that will be applied.

Security related information covering the reactor technology concept, physical layout proposals, computer system security requirements and proposals for identification of Vital Areas.

The RP will also be required to provide the first Master Document Submission List.

The RP will also be required to respond to questions and points of clarification raised by ONR during its assessment, and to issues arising from the GDA comments process.

Step 2: ONR will:

Undertake an assessment directed at reviewing design concepts and claims. This will include:

The design safety philosophy, standards and criteria used.

The approach to ALARP.

The fault study approach including Design Basis Analysis (DBA) and Severe Accident management.

The probabilistic safety analysis (PSA) approach.

The overall safety case scope and extent.

An overview of the claims in a wide range of areas of the safety analysis.

The generic site envelope and its relevance to the safety case.

The proposals for nuclear security.

The proposals for the reference design and safety submission freeze (for the purposes of GDA), including proposals for management of design changes

Identification of any matters that might be in conflict with Government policy.

Identification of any significant issues that may prevent ONR from issuing a DAC.

Consideration of outstanding relevant issues raised through the GDA comments process.



O STEP 2: FUNDAMENTAL DESIGN, SAFETY CASE AND SECURITY CLAIMS OVERVIEW

Step 2: ONR output

A public statement from ONR on whether any fundamental safety or security issues had been identified that might prevent the issue of a DAC or that would need to be addressed in order to acquire one.

Publication of a summary report to support this statement.

The relevant internal ONR assessment reports will be published, along with any other reports relevant to Step 2.

Confirmation that the design can move to Step 3.

It should be noted that ONR’s judgement on acceptance in principle will be subject to the proposed design concept and RP's design criteria being realised in the detailed design, and the safety case claims being supported by appropriate arguments and evidence.

step 2 assessment summary report

Documents